3 min read

The cost of security breaches

The cost of security breaches

To avoid security breaches' financial and reputational risks, companies must focus on prevention, hire skilled personnel, and use advanced security technologies.

 

The IT security risks survey

The IT security risks survey, conducted by Kaspersky Lab in collaboration with B2B International, involved more than 5500 companies across 26 countries. The survey targeted top managers and IT professionals to gather insights into security incidents, threats, and infrastructure vulnerabilities. The primary focus was on the financial impact of security breaches and the recovery cost.

 

Security breach statistics 

The survey revealed that 90% of businesses admitted to experiencing a security incident. Furthermore, 46% of these businesses reported losing sensitive data due to internal or external threats. These numbers highlight the pervasive and ever-present risk of security breaches.

 

The financial toll

The survey found that, on average, enterprises pay a hefty $551,000 to recover from a security breach. At the same time, small and medium-sized businesses (SMBs) spend an average of $38,000. These figures represent the direct cost required for recovery.

However, the costs extend beyond direct expenses. Indirect costs burden businesses, such as additional staffing, training, and infrastructure upgrades. Enterprises bear an average of $69,000 in indirect costs, while SMBs face $8,000 in other expenses. These figures highlight the financial implications of security breaches.

 

Consequences of breaches

The survey identified the top three significant consequences of a security breach:

  • Loss of access to business-critical information Businesses face disruptions and potential data loss when sensitive information becomes inaccessible due to breaches.
  • Damage to company reputation
    Security breaches can tarnish a company's image, eroding customer trust and confidence. Rebuilding a reputation takes time and resources.
  • Temporary loss of ability to trade
    Breaches can halt business operations temporarily, resulting in revenue loss and potential customer churn.

The most expensive breach types

The survey also shed light on the most expensive types of security breaches. Enterprises cited the following as their top three costly breach categories:

  • Third-party failure
    The consequences can be severe when a breach occurs through a third-party contractor or supplier. Businesses bear significant financial burdens to recover from such incidents.
  • Fraud by employees
    Internal security threats pose a substantial risk. Breaches resulting from fraudulent activities by employees can lead to significant financial losses.
  • Cyber espionage
    Attacks that steal sensitive information for strategic or competitive advantage can have financial implications. 

Read also: What is cyber extortion in healthcare? 

 

Common IT security threats

In analyzing the causes of data loss, the survey identified the following as the top three IT security threats:

  • Malware 
    Malicious software such as viruses and ransomware pose a constant threat to businesses. These attacks can result in data loss and financial damages.
  • Phishing attacks
    Social engineering techniques like phishing emails aim to trick individuals into revealing sensitive information. Businesses must remain vigilant to combat this threat.
  • Accidental data leaks by staff 
    Human error can lead to unintentional data breaches. Proper training and stringent data protection policies are necessary to mitigate this risk.

In the news

The expenses incurred in response to Change Healthcare's ransomware attack of February 2024 have surged. The current estimated cost ranges between $2.3 billion and $2.45 billion, which is a considerable increase of over $1 billion from the previous figure reported. Given that UHG has already shelled out almost $2 billion towards dealing with this issue so far, it marks one of their most severe financial challenges yet - largely due to an extended period of disruption caused by prolonged network downtimes across various components within their infrastructure. 

The aftermath of the Change Healthcare cyberattack and UnitedHealth's response shows how cybersecurity vulnerabilities in healthcare can have far-reaching consequences. Even though UnitedHealth showed resilience, the attack still had a financial impact that revealed potential economic risks for other large organizations as well. Directing extensive support towards addressing this issue head-on, particularly through financing solutions provided by large corporations like UnitedHealth, sets an unprecedented precedent that may influence Industry standards or even regulatory expectations going forward.

See more: Change Healthcare ransomware attack projected to cost $2.3 billion 

 

FAQs

What is a security breach and how does it relate to healthcare security? 

A security breach is an incident where unauthorized individuals gain access to sensitive information, systems, or networks. In healthcare, a security breach often involves protected health information (PHI) being accessed, disclosed, or stolen without authorization. 

 

What are the potential risks associated with security breaches under HIPAA?

  • Data exposure: Unauthorized access to PHI, leading to potential identity theft and privacy violations.
  • Non-compliance penalties: Fines and legal consequences for failing to protect PHI as mandated by HIPAA.
  • Financial losses: Costs related to breach remediation, legal fees, and potential settlements with affected individuals.
  • Reputational damage: Loss of trust from patients, partners, and the public due to the organization's failure to protect sensitive information.
  • Operational impact: Disruptions to healthcare services and systems, potentially affecting patient care and administrative functions.

How can healthcare facilities prevent security breaches to maintain HIPAA compliance? 

  • Implementing security measures: Utilizing encryption, firewalls, intrusion detection systems, and other security technologies to protect PHI.
  • Conducting regular risk assessments: Identifying and addressing potential vulnerabilities and threats to information security.
  • Training employees: Providing training on data security best practices, recognizing phishing attempts, and responding to potential breaches.
  • Developing and enforcing policies: Establishing clear policies and procedures for handling PHI and responding to security incidents.
  • Monitoring and auditing: Continuously monitoring network activity and conducting regular audits to detect and address security issues promptly.

See also: HIPAA Compliant Email: The Definitive Guide